<IfModule mod_ssl.c>
  #
  # Pseudo Random Number Generator (PRNG):
  # Configure one or more sources to seed the PRNG of the SSL library.
  # The seed data should be of good random quality.
  # WARNING! On some platforms /dev/random blocks if not enough entropy
  # is available. This means you then cannot use the /dev/random device
  # because it would lead to very long connection times (as long as
  # it requires to make more entropy available). But usually those
  # platforms additionally provide a /dev/urandom device which doesn't
  # block. So, if available, use this one instead. Read the mod_ssl User
  # Manual for more details.
  #
  SSLRandomSeed startup builtin
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect builtin
  SSLRandomSeed connect file:/dev/urandom 512

  ##
  ##  SSL Global Context
  ##
  ##  All SSL configuration in this context applies both to
  ##  the main server and all SSL-enabled virtual hosts.
  ##

  #
  #   Some MIME-types for downloading Certificates and CRLs
  #
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl

  #   Pass Phrase Dialog:
  #   Configure the pass phrase gathering process.
  #   The filtering dialog program (`builtin' is a internal
  #   terminal dialog) has to provide the pass phrase on stdout.
  SSLPassPhraseDialog <%= @pass_phrase_dialog %>

  #   Inter-Process Session Cache:
  #   Configure the SSL Session Cache: First the mechanism
  #   to use and second the expiring timeout (in seconds).
  SSLSessionCache         <%= @session_cache %>
  SSLSessionCacheTimeout  <%= @session_cache_timeout %>

  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
  #   enable only secure ciphers:
  SSLCipherSuite <%= @cipher_suite %>

  #   Speed-optimized SSL Cipher configuration:
  #   If speed is your main concern (on busy HTTPS servers e.g.),
  #   you might want to force clients to specific, performance
  #   optimized ciphers. In this case, prepend those ciphers
  #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
  #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
  #   (as in the example below), most connections will no longer
  #   have perfect forward secrecy - if the server's key is
  #   compromised, captures of past or future traffic must be
  #   considered compromised, too.
  #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
  SSLHonorCipherOrder <%= @honor_cipher_order %>

  #   The protocols to enable.
  #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
  #   SSL v2  is no longer supported
  SSLProtocol <%= @protocol %>

  #   Allow insecure renegotiation with clients which do not yet support the
  #   secure renegotiation protocol. Default: Off
  SSLInsecureRenegotiation <%= @insecure_renegotiation %>

<% unless @strict_sni_vhost_check == "Off"%>
  #   Whether to forbid non-SNI clients to access name based virtual hosts.
  #   Default: Off
  SSLStrictSNIVHostCheck <%= @strict_sni_vhost_check %>
<% end %>

  #   Enable compression on the SSL level
  #   Enabling compression causes security issues in most setups (the so called CRIME attack).
  #   Default: Off
  SSLCompression <%= @compression %>

  #   OCSP Stapling, only in httpd 2.3.3 and later
  #   This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS
  #   extension specified in RFC 6066. If enabled (and requested by the client), mod_ssl will
  #   include an OCSP response for its own certificate in the TLS handshake.
  #   Configuring an SSLStaplingCache is a prerequisite for enabling OCSP stapling.
  #   Default: Off
  <% if @use_stapling  == 'On' -%>
  SSLUseStapling         <%= @use_stapling %>
  SSLStaplingResponderTimeout <%= @stapling_responder_timeout %>
  SSLStaplingReturnResponderErrors <%= @stapling_return_responder_errors %>
  SSLStaplingCache        <%= @stapling_cache %>
  <% end -%>

  <% unless @directives.nil? -%>
  <% @directives.sort_by { |key, val| key }.each do |directive, value| -%>
      <%= directive %> <%= value %>
  <% end -%>
  <% end -%>
</IfModule>
